From c884226819666c7b6410bf575524ff71c3587b2b Mon Sep 17 00:00:00 2001
From: SebClem
Date: Thu, 12 Sep 2024 09:39:13 +0200
Subject: [PATCH] CI: Verify base image signature before build

---
 .github/workflows/build_addon.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/build_addon.yml b/.github/workflows/build_addon.yml
index bf5712b..074f7ff 100644
--- a/.github/workflows/build_addon.yml
+++ b/.github/workflows/build_addon.yml
@@ -13,6 +13,8 @@ env:
   IMAGE: "hassio-nextcloud-backup"
   REPOSITORY: ghcr.io/sebclem
   IMAGE_SOURCE: https://github.com/Sebclem/hassio-nextcloud-backup
+  BASE_ISSUER: https://token.actions.githubusercontent.com
+  BASE_IDENTITY: https://github.com/home-assistant/docker-base/.*
 
 permissions: write-all
 
@@ -120,6 +122,9 @@ jobs:
           echo "url=$(yq .url nextcloud_backup/config.yml)" >> $GITHUB_OUTPUT
           echo "build_from=ghcr.io/home-assistant/${{ matrix.arch }}-base:$(cat nextcloud_backup/.base_version)" >> $GITHUB_OUTPUT
 
+      - name: Check base image signature
+        run: cosign verify --certificate-oidc-issuer-regexp "${{ env.BASE_ISSUER }}" --certificate-identity-regexp "${{ env.BASE_IDENTITY }}" "${{ steps.build_param.outputs['build_from'] }}"
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
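Review bot: Both new env values are consumed as regular expressions (`--certificate-oidc-issuer-regexp` and `--certificate-identity-regexp` in the second hunk) but are neither anchored nor escaped, so every `.` matches any character and, as far as I can tell, cosign hands the pattern straight to Go's regexp package, which matches substrings unless the pattern carries `^`/`$`. The issuer is a fixed string and needs no regexp at all, and the identity should be anchored with its dots escaped: `BASE_ISSUER: 'https://token.actions.githubusercontent.com'` used with the plain `--certificate-oidc-issuer` flag, and `BASE_IDENTITY: '^https://github\.com/home-assistant/docker-base/.*$'`. Quoting both values also keeps YAML tooling from ever re-typing or folding them. If the workflow file and ref that sign the docker-base images are known, narrowing the trailing `.*` to that path and `@refs/heads/<branch>` would tighten the trust boundary further; I have not checked which workflow signs them, so the wildcard is the conservative fallback.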
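Review bot: The `cosign verify` in the new step and the build that follows each resolve the mutable tag in `build_from` on their own, so verifying the tag does not pin what gets built; the tag can be moved between the two steps. Rather than verifying a tag, keep the digest cosign actually verified (the `docker-manifest-digest` field of the JSON payload it prints on stdout) and pass `image@sha256:…` to the build; the rewrite below does that and exports it as a step output, which the build step (outside this hunk) would then have to consume instead of `build_from`. The shell needs `set -o pipefail` there, because GitHub's default `bash -e` alone lets a failed cosign hide behind a `jq` that exits 0 on empty input, hence the explicit empty-digest check as well. I can't see whether cosign is installed earlier in the job (e.g. via `sigstore/cosign-installer`); if it is not, this step fails on every run.

```yaml
      - name: Check base image signature
        id: base_verify
        run: |
          set -euo pipefail
          digest="$(cosign verify \
            --certificate-oidc-issuer-regexp "${{ env.BASE_ISSUER }}" \
            --certificate-identity-regexp "${{ env.BASE_IDENTITY }}" \
            "${{ steps.build_param.outputs['build_from'] }}" \
            | jq -r '.[0].critical.image."docker-manifest-digest"')"
          # Fail closed: an empty digest means nothing was verified.
          test -n "$digest" || { echo "cosign returned no verified digest" >&2; exit 1; }
          echo "build_from_digest=${{ steps.build_param.outputs['build_from'] }}@${digest}" >> "$GITHUB_OUTPUT"
      # … unchanged: Docker meta step …
```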